Bump @metamask/snaps-controllers from 13.1.0 to 16.0.0

[dependabot]

Bumps @metamask/snaps-controllers from 13.1.0 to 16.0.0.

Commits

• 98669a2 release: 129.0.0 (#3704)
• 7baa5d9 refactor: base controller migration (#3611)
• 98d7c04 chore: Add @metamask-previews/* to NPM age gate exceptions (#3699)
• 18b335e chore: fix some minor issues in the comments (#3682)
• 68a2b0c chore: Bump Yarn to 4.10.3 and configure NPM age gate (#3691)
• 3fda705 release: 128.0.0 (#3690)
• fff1ef6 chore: Revert "release: 128.0.0 (#3685)" (#3688)
• e246ad7 release: 128.0.0 (#3685)
• aa6cc78 docs(contributing): update Node.js version to 20 to match engines (#3604)
• 1f14fa8 fix: Wait for unlock before handling manageAccounts requests (#3686)
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---

Note

Upgrade @metamask/snaps-controllers to ^17.0.0 with cascading updates across MetaMask packages and related dependencies (lockfile refresh).

• Dependencies:
  • Upgrade @metamask/snaps-controllers to ^17.0.0.
  • Cascade updates to MetaMask ecosystem packages:
    • @metamask/approval-controller@^8, @metamask/base-controller@^9, @metamask/controller-utils@^11.16, @metamask/json-rpc-engine@^10.2, @metamask/json-rpc-middleware-stream@^8.0.8, @metamask/messenger@^0.3, @metamask/permission-controller@^12.1.1, @metamask/phishing-controller@^15.0.1, @metamask/rpc-errors@^7.0.3, @metamask/snaps-rpc-methods@^14.1.1, @metamask/snaps-sdk@^10.1.0, @metamask/snaps-utils@^11.6.1, @metamask/utils@^11.8.1, @metamask/slip44@^4.3.0, @metamask/providers@^22.1.1.
  • Add/update supporting libs in lockfile (e.g., ses@^1.14.0, @endo/*, klona, @types/lodash).
• Lockfile:
  • Regenerate yarn.lock to reflect new versions and dependencies.

^{Written by Cursor Bugbot for commit 0274d48. This will update automatically on new commits. Configure here.}

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​metamask/​snaps-controllers@​13.1.0 ⏵ 17.0.0	+1		+2

View full report

[socket-security]

Warning

MetaMask internal reviewing guidelines:

• Do not ignore-all
• Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
• Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
  @SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Potential code anomaly (AI signal): npm klona is 100.0% likely to have a medium risk anomaly Notes: The analyzed code is a deep clone utility (klona) with careful handling to avoid prototype pollution and to clone common JavaScript types. The primary concern is that objects with non-plain constructors are instantiated via new x.constructor(), which could execute user-defined constructor logic and potentially have side effects. Aside from that, there are no malicious behaviors such as data exfiltration, backdoors, or network activity. Overall security risk is low to moderate depending on trust in input objects; the constructor path is the main anomaly to monitor in usage. Confidence: 1.00 Severity: 0.60 From: ? → npm/@metamask/snaps-controllers@17.0.0 → npm/klona@2.0.6 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/klona@2.0.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[cursor]

Bug: Dependency Mismatch Causes Runtime Errors

Dependency version mismatch: @metamask/snaps-controllers has been bumped to ^16.0.0, which requires @metamask/snaps-sdk ^10.0.0 and @metamask/snaps-utils ^11.6.1, but package.json still specifies the older versions @metamask/snaps-sdk ^8.1.0 and @metamask/snaps-utils ^10.1.0. This will cause runtime errors when scripts that use @metamask/snaps-controllers attempt to call functions or use types that depend on the newer versions.